Intercontinental Exchange to pay $10M SEC penalty over VPN breach – Source: www.bleepingcomputer.com

The Intercontinental Exchange (ICE) will pay a $10 million penalty to settle charges brought by the U.S. Securities and Exchange Commission (SEC) after failing to ensure its subsidiaries promptly reported an April 2021 VPN security breach.

ICE is an American company listed on the Fortune 500 that owns and operates financial exchanges and clearing houses worldwide, including the New York Stock Exchange (NYSE). In 2023, it employed over 13,000 people and reported a total revenue of $9.903 billion.

As Regulation Systems Compliance and Integrity (Regulation SCI) requires, firms must immediately notify the SEC about security incident intrusions and provide an update within 24 hours unless they determine the impact on their operations or market participants is negligible.

“The respondents subject to Reg SCI failed to notify the SEC of the intrusion at issue as required. Rather, it was Commission staff that contacted the respondents in the process of assessing reports of similar cyber vulnerabilities,” the SEC said.

“As alleged in the order, they instead took four days to assess its impact and internally conclude it was a de minimis event. When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity.”

ICE discovered the incident on April 15, 2021, after a third party informed it of a potential system intrusion linked to an unknown vulnerability in its virtual private network (VPN).

Breached by suspected state hackers

A subsequent investigation revealed that a threat actor deployed a malicious payload on a compromised VPN device used for remote access to its corporate network.

“Sophisticated threat actors, believed to be nation-state actors, installed a webshell code onto a compromised VPN device in an attempt to harvest information passing through that device, including employee name, password, and multi-factor authentication codes. This data could allow the threat actor to access internal corporate networks,” the SEC’s order reveals

However, ICE’s security team was able to determine that the attacker’s access was limited to a single compromised VPN device, even though it found evidence that the threat actor was able to exfiltrate “VPN configuration data and certain ICE user meta-data.”

The SEC says that ICE staff did not notify the legal and compliance officials at the company’s subsidiaries about this VPN security breach for several days, violating both Reg SCI rules and ICE’s own internal cyber incident reporting procedures. As a result of this failure, ICE subsidiaries failed to assess the intrusion properly and did not meet their Reg SCI disclosure obligations.

ICE and its subsidiaries consented to the SEC’s order, acknowledging that the subsidiaries violated the notification provisions of Regulation SCI and that ICE caused these violations.

Without admitting or denying the SEC’s findings, ICE and its subsidiaries also agreed to a cease-and-desist order requiring them to stop violating Reg SCI rules and to pay a $10 million civil money penalty.